Analysis Overview
SHA256
6c81b1592687b97ae97b015440c1664396933b9cee5ea87c6ffd26cb30f255d1
Threat Level: Known bad
The file !~!SetUp_2025_Pa$$W0rd$s!!%!~.zip was found to be: Known bad.
Malicious Activity Summary
Lumma Stealer
Checks computer location settings
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious use of FindShellTrayWindow
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
Opens file in notepad (likely ransom note)
Modifies registry class
Suspicious behavior: GetForegroundWindowSpam
Checks processor information in registry
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Enumerates system info in registry
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-11 03:55
Signatures
Analysis: behavioral6
Detonation Overview
Submitted
2024-07-11 03:55
Reported
2024-07-11 03:58
Platform
win10v2004-20240709-es
Max time kernel
96s
Max time network
155s
Command Line
Signatures
Lumma Stealer
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 732 set thread context of 4528 | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | C:\Windows\SysWOW64\more.com |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 732 wrote to memory of 4528 | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | C:\Windows\SysWOW64\more.com |
| PID 732 wrote to memory of 4528 | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | C:\Windows\SysWOW64\more.com |
| PID 732 wrote to memory of 4528 | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | C:\Windows\SysWOW64\more.com |
| PID 732 wrote to memory of 4528 | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | C:\Windows\SysWOW64\more.com |
| PID 4528 wrote to memory of 1192 | N/A | C:\Windows\SysWOW64\more.com | C:\Windows\SysWOW64\SearchIndexer.exe |
| PID 4528 wrote to memory of 1192 | N/A | C:\Windows\SysWOW64\more.com | C:\Windows\SysWOW64\SearchIndexer.exe |
| PID 4528 wrote to memory of 1192 | N/A | C:\Windows\SysWOW64\more.com | C:\Windows\SysWOW64\SearchIndexer.exe |
| PID 4528 wrote to memory of 1192 | N/A | C:\Windows\SysWOW64\more.com | C:\Windows\SysWOW64\SearchIndexer.exe |
| PID 4528 wrote to memory of 1192 | N/A | C:\Windows\SysWOW64\more.com | C:\Windows\SysWOW64\SearchIndexer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
C:\Windows\SysWOW64\more.com
C:\Windows\SysWOW64\more.com
C:\Windows\SysWOW64\SearchIndexer.exe
C:\Windows\SysWOW64\SearchIndexer.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bittercoldzzdwu.shop | udp |
| US | 172.67.134.113:443 | bittercoldzzdwu.shop | tcp |
| US | 8.8.8.8:53 | bouncedgowp.shop | udp |
| US | 172.67.214.52:443 | bouncedgowp.shop | tcp |
| US | 8.8.8.8:53 | bannngwko.shop | udp |
| US | 104.21.81.196:443 | bannngwko.shop | tcp |
| US | 8.8.8.8:53 | bargainnykwo.shop | udp |
| US | 8.8.8.8:53 | 113.134.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 52.214.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.81.21.104.in-addr.arpa | udp |
| US | 104.21.47.93:443 | bargainnykwo.shop | tcp |
| US | 8.8.8.8:53 | 93.47.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | affecthorsedpo.shop | udp |
| US | 172.67.135.137:443 | affecthorsedpo.shop | tcp |
| US | 8.8.8.8:53 | radiationnopp.shop | udp |
| US | 172.67.196.169:443 | radiationnopp.shop | tcp |
| US | 8.8.8.8:53 | 137.135.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | answerrsdo.shop | udp |
| US | 172.67.203.63:443 | answerrsdo.shop | tcp |
| US | 8.8.8.8:53 | publicitttyps.shop | udp |
| US | 172.67.134.88:443 | publicitttyps.shop | tcp |
| US | 8.8.8.8:53 | 169.196.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 63.203.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | benchillppwo.shop | udp |
| US | 104.21.81.128:443 | benchillppwo.shop | tcp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| US | 8.8.8.8:53 | 88.134.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 128.81.21.104.in-addr.arpa | udp |
| GB | 23.214.143.155:443 | steamcommunity.com | tcp |
| US | 8.8.8.8:53 | reinforcedirectorywd.shop | udp |
| US | 104.21.83.48:443 | reinforcedirectorywd.shop | tcp |
| US | 8.8.8.8:53 | 155.143.214.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.83.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
Files
memory/732-0-0x00000000744B0000-0x00000000744C4000-memory.dmp
memory/732-1-0x00007FFE06510000-0x00007FFE06705000-memory.dmp
memory/732-6-0x00000000744B0000-0x00000000744C4000-memory.dmp
memory/732-5-0x00000000744C2000-0x00000000744C4000-memory.dmp
memory/732-7-0x00000000744B0000-0x00000000744C4000-memory.dmp
memory/4528-10-0x00000000744B0000-0x00000000744C4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\8ff0c78a
| Hash | Value |
| --- | --- |
| MD5 | e3ac52c728074bfb1af75124bd7e0b71 |
| SHA1 | 5dcdf46b2c7e35b342784388d09b5ab030103e5c |
| SHA256 | b453f86b147e78ba0f4ce1009b2962e52aefbf00dcf8590f96c5e248e32e7e67 |
| SHA512 | 609df55e6dce9c55e904f3513dd897eb97d8d42d268b629352fefa74382ec4afc53b8579ea22b286ef4000a53182cd1c90aa9d6497b74cc9278acdd9fc48a449 |
memory/4528-12-0x00007FFE06510000-0x00007FFE06705000-memory.dmp
memory/4528-13-0x00000000744B0000-0x00000000744C4000-memory.dmp
memory/4528-14-0x00000000744B0000-0x00000000744C4000-memory.dmp
memory/4528-16-0x00000000744B0000-0x00000000744C4000-memory.dmp
memory/1192-17-0x00007FFE06510000-0x00007FFE06705000-memory.dmp
memory/1192-18-0x0000000000850000-0x00000000008BB000-memory.dmp
memory/1192-19-0x000000000059B000-0x00000000005A2000-memory.dmp
memory/1192-20-0x0000000000850000-0x00000000008BB000-memory.dmp
memory/1192-21-0x0000000000850000-0x00000000008BB000-memory.dmp
Analysis: behavioral7
Detonation Overview
Submitted
2024-07-11 03:55
Reported
2024-07-11 03:56
Platform
win7-20240708-es
Max time kernel
0s
Max time network
6s
Command Line
Signatures
Enumerates physical storage devices
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2700 wrote to memory of 1912 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\NOTEPAD.EXE |
| PID 2700 wrote to memory of 1912 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\NOTEPAD.EXE |
| PID 2700 wrote to memory of 1912 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\NOTEPAD.EXE |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\avenue.css
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\avenue.css
Network
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-07-11 03:55
Reported
2024-07-11 03:56
Platform
win10v2004-20240709-es
Max time kernel
2s
Max time network
6s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\cmd.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3036 wrote to memory of 3996 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\NOTEPAD.EXE |
| PID 3036 wrote to memory of 3996 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\NOTEPAD.EXE |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\avenue.css
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\avenue.css
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-07-11 03:55
Reported
2024-07-11 03:58
Platform
win7-20240704-es
Max time kernel
120s
Max time network
122s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2788 wrote to memory of 2768 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2788 wrote to memory of 2768 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2788 wrote to memory of 2768 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2788 wrote to memory of 2768 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2788 wrote to memory of 2768 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2788 wrote to memory of 2768 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2788 wrote to memory of 2768 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d3dx9_43.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d3dx9_43.dll,#1
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-11 03:55
Reported
2024-07-11 03:57
Platform
win10v2004-20240709-es
Max time kernel
34s
Max time network
37s
Command Line
Signatures
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\!~!SetUp_2025_Pa$$W0rd$s!!%!~.zip
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-07-11 03:55
Reported
2024-07-11 03:57
Platform
win7-20240708-es
Max time kernel
76s
Max time network
17s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2512 wrote to memory of 2548 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2512 wrote to memory of 2548 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2512 wrote to memory of 2548 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\!~!SetUp_2025_Pa$$W0rd$s!!%!~.rar
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\!~!SetUp_2025_Pa$$W0rd$s!!%!~.rar
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-07-11 03:55
Reported
2024-07-11 03:57
Platform
win10v2004-20240709-es
Max time kernel
3s
Max time network
11s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\!~!SetUp_2025_Pa$$W0rd$s!!%!~.rar
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
Files
Analysis: behavioral12
Detonation Overview
Submitted
2024-07-11 03:55
Reported
2024-07-11 03:57
Platform
win10v2004-20240709-es
Max time kernel
34s
Max time network
41s
Command Line
Signatures
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious use of SetWindowsHookEx
Processes
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\heartthrob.doc" /o ""
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 97.32.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.73.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
Files
memory/4356-0-0x00007FFBF20D0000-0x00007FFBF20E0000-memory.dmp
memory/4356-2-0x00007FFBF20D0000-0x00007FFBF20E0000-memory.dmp
memory/4356-1-0x00007FFBF20D0000-0x00007FFBF20E0000-memory.dmp
memory/4356-4-0x00007FFBF20D0000-0x00007FFBF20E0000-memory.dmp
memory/4356-3-0x00007FFBF20D0000-0x00007FFBF20E0000-memory.dmp
memory/4356-5-0x00007FFC320ED000-0x00007FFC320EE000-memory.dmp
memory/4356-7-0x00007FFC32050000-0x00007FFC32245000-memory.dmp
memory/4356-8-0x00007FFC32050000-0x00007FFC32245000-memory.dmp
memory/4356-9-0x00007FFC32050000-0x00007FFC32245000-memory.dmp
memory/4356-11-0x00007FFC32050000-0x00007FFC32245000-memory.dmp
memory/4356-13-0x00007FFC32050000-0x00007FFC32245000-memory.dmp
memory/4356-12-0x00007FFC32050000-0x00007FFC32245000-memory.dmp
memory/4356-14-0x00007FFBEFCA0000-0x00007FFBEFCB0000-memory.dmp
memory/4356-10-0x00007FFC32050000-0x00007FFC32245000-memory.dmp
memory/4356-6-0x00007FFC32050000-0x00007FFC32245000-memory.dmp
memory/4356-16-0x00007FFC32050000-0x00007FFC32245000-memory.dmp
memory/4356-15-0x00007FFC32050000-0x00007FFC32245000-memory.dmp
memory/4356-17-0x00007FFBEFCA0000-0x00007FFBEFCB0000-memory.dmp
memory/4356-26-0x00007FFC32050000-0x00007FFC32245000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-11 03:55
Reported
2024-07-11 03:56
Platform
win7-20240705-es
Max time kernel
14s
Max time network
18s
Command Line
Signatures
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\!~!SetUp_2025_Pa$$W0rd$s!!%!~.zip
Network
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-07-11 03:55
Reported
2024-07-11 03:58
Platform
win7-20240704-es
Max time kernel
121s
Max time network
123s
Command Line
Signatures
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2644 set thread context of 2824 | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | C:\Windows\SysWOW64\more.com |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
C:\Windows\SysWOW64\more.com
C:\Windows\SysWOW64\more.com
C:\Windows\SysWOW64\SearchIndexer.exe
C:\Windows\SysWOW64\SearchIndexer.exe
Network
Files
memory/2644-0-0x00000000748B0000-0x0000000074947000-memory.dmp
memory/2644-1-0x0000000077860000-0x0000000077A09000-memory.dmp
memory/2644-6-0x00000000748B0000-0x0000000074947000-memory.dmp
memory/2644-5-0x00000000748C2000-0x00000000748C4000-memory.dmp
memory/2644-7-0x00000000748B0000-0x0000000074947000-memory.dmp
memory/2824-10-0x00000000748B0000-0x0000000074947000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1ecf251b
| Hash | Value |
| --- | --- |
| MD5 | 4ff9b3c87284e5d435149822d5a3696c |
| SHA1 | a48e606667e30e0c72dc928a3902f0d4cdd2a7a8 |
| SHA256 | 51eaf69a5e2299aafc413bd1e9f6482853b096ae9fba4473cfe91ce3d595111f |
| SHA512 | a196f1c19b97ab8f69ed7ec6497f318e5e113c08e3869a3e7efad0ec547d0d82c3425920c7c2ec13abf741ee3f6384b0e10b171b0aee8906c35a2325d325688f |
memory/2824-12-0x0000000077860000-0x0000000077A09000-memory.dmp
memory/2824-13-0x00000000748B0000-0x0000000074947000-memory.dmp
memory/2824-14-0x00000000748B0000-0x0000000074947000-memory.dmp
memory/2824-16-0x00000000748B0000-0x0000000074947000-memory.dmp
memory/2564-17-0x0000000077860000-0x0000000077A09000-memory.dmp
memory/2564-18-0x0000000000150000-0x00000000001BB000-memory.dmp
memory/2564-21-0x0000000000150000-0x00000000001BB000-memory.dmp
memory/2564-22-0x000000000044D000-0x0000000000455000-memory.dmp
Analysis: behavioral10
Detonation Overview
Submitted
2024-07-11 03:55
Reported
2024-07-11 03:56
Platform
win10v2004-20240709-es
Max time kernel
35s
Max time network
40s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4644 wrote to memory of 4672 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4644 wrote to memory of 4672 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4644 wrote to memory of 4672 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d3dx9_43.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d3dx9_43.dll,#1
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp |
Files
Analysis: behavioral11
Detonation Overview
Submitted
2024-07-11 03:55
Reported
2024-07-11 03:57
Platform
win7-20240708-es
Max time kernel
25s
Max time network
18s
Command Line
Signatures
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Suspicious use of SetWindowsHookEx
Processes
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\heartthrob.doc"
Network
Files
memory/2740-0-0x000000002F1E1000-0x000000002F1E2000-memory.dmp
memory/2740-1-0x000000005FFF0000-0x0000000060000000-memory.dmp
memory/2740-2-0x000000007398D000-0x0000000073998000-memory.dmp